Result = "undetected" - what does this mean?

Many thanks

Mouse

BUMP

BUMP

Just got the same for c:\program files\launch manager\WisSvcCtrl.exe

CIS detected file as "TrojWare.Win32.TrojanProxy.Horst~A@25568489"

When analysing the file on VirusTotal, Comodo was the only one to detect it as suspicious

http://www.virustotal.com/analisis/5272216b439c663ae1dfb0c0069d88ecc3a5633740dfc719fb87bfe6157c2de5-1247331036

Whereas CAMAS detected it as “Undetected”

http://camas.comodo.com/cgi-bin/submit?file=5272216b439c663ae1dfb0c0069d88ecc3a5633740dfc719fb87bfe6157c2de5

Presumably Undetected means that it was a Missed Sample, or it's presuming that CIS didn't detect it since you're submitting the file?

E

Yes this is puzzling. What is a missed sample?

I’ve now had 5-6 viruses flagged (probably incorrectly) by CIS. In each case CAMAS has said ‘undetected’, and given other results that suggest that CAMAS could not fully access the processes involved.

Before testing with CAMAS I have typically 'excluded' the files in CIS to prevent CIS popping up when CAMAS tries to access the files. However, I wonder whether what is happening is that CAMAS is trying to access files or resources related to them which CIS is controlling?

Seems to me that this - checking CIS - is a key way people are going to want to use CAMAS, so it would be good to understand what is happening.

Many thanks

Mouse

I think it means that malware can bypass CAMAS by (simply) injecting into other processes.

P.S. I'm talking about the malware in the 3rd post.

P.P.S. And this is cmd.exe, signed by Microsoft Corp. http://camas.comodo.com/cgi-bin/submit?file=c45a09fa5d6f9e58bc46e26bd1bfe9777fd7a513f692f5e6602bc751da8b4a7e It seems "undetected" means that the file isn't suspicious or malware, IMHO.

Somehow I think we ought to know…

Could Melih or someone working on CIMA clarify please?

Many thanks in anticipation

Mouse

I’ve posted in Malware Research Group so hopefully someone will shed some more light on things.

E

Hi,
When CAMAS gives the verdict 'undetected', it means it didn't find any malware behaviour upon the file's execution, as shown in the complete report.

Both CAMAS URLs mentioned in this post give an execution report where you can see that nothing is suspicious as per the report, and therefore the verdict is undetected.

Thanks
-umesh

Thanks that’s great.

Could it maybe say instead ‘No malware behaviour detected, based on analysis above’?

Also wondered what ‘process is active’ meant. Does it mean ‘Cannot do much analysis because the process is currently running on your computer?’ When it says this it seems not to give much information. Alternatively maybe no info means ‘have run this test and it passed’?

Many thanks in anticipation

Mouse

Hi Mouse,

Could it maybe say instead 'No malware behaviour detected, based on analysis above'?
Yes, that's actually what undetected means. We will change it to this.
Also wondered what 'process is active' meant. Does it mean 'Cannot do much analysis because the process is currently running on your computer?' When it says this it seems not to give much information. Alternatively maybe no info means 'have run this test and it passed'?
CIMA has a pre-defined period for which it analyzes a file; a process may remain active till the end of this period, or may have exited.

Thanks
-umesh

No, stop here for a moment guys ... that doesn't mean that the file is not malware ... take this analysis for example ...

http://camas.comodo.com/cgi-bin/submit?file=e28140f5208e5131369a2cfb70bc1c52c7029737642f2b242c34b6f37738ddf2

it says undetected ... however, because I know what this file does, I can surely say it's a Trojan Downloader ...

;D ;D ;D ;D … in conclusion , be careful …

Re 'undetected', thanks that's great & very clear. Re the other poster's comment, I think 'based on the analysis above' is a sufficient qualification. (I guess at the level of precision that CIMA operates, it's what is downloaded, not the downloader, that's the malware?)

Sorry to be dense, but I still don't understand the explanation regarding active processes - what process exits (or does not), and what is the significance of it exiting (or not)? Hope you can help; I'm not a malware expert unfortunately.

Many thanks in anticipation. Really realising the value of CIMA now I am coming to understand it! Just need a bit better explanation for mere mortals :)

Mouse

Hi mouse1,

As CIMA executes a malware sample in a virtual environment and notices all changes to the system, it analyzes all changes after a given time period; you can call it the time-out period. When it times out, the process it executed may still be running (active) or may have completed (exited).

Regarding the verdict, it analyzes all activities and, depending on the impact the malware's execution made on the system, it gives a verdict. So it can be the downloader as well as the downloaded application.

Thanks
-umesh
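To make the two points in the reply above concrete (a fixed analysis period after which the sample is either still active or has exited, and a verdict based only on behaviour observed inside that period), here is an added toy verdict engine. It is not Comodo's code and not CIMA's real logic; the rule names, the event format, the timeout value and the three sample traces are all constructed for illustration. It also shows the failure mode raised earlier in the thread: a downloader whose fetch fails inside the sandbox produces no malware-like events and so comes back 'undetected'.

```python
"""Toy dynamic-analysis verdict engine modelled on the thread's description of
CIMA: run a sample for a fixed period, record what it did, and say 'undetected'
only when no malware-like behaviour was observed. Added example, not Comodo's
code; rules, event format, timeout and sample traces are all constructed."""
import subprocess
import sys
from dataclasses import dataclass, field

TIMEOUT_SECONDS = 1.0  # assumed analysis period (the thread's "time-out period")


@dataclass
class Report:
    events: list           # constructed behaviour events: (category, detail)
    process_active: bool   # still running when the analysis period ended?
    hits: list = field(default_factory=list)
    verdict: str = ""


def run_sample(argv, timeout=TIMEOUT_SECONDS):
    """Execute argv and wait at most `timeout` seconds. Returns True if the
    process was still active when the period ended (the thread's 'process is
    active'), False if it had exited. A real sandbox would also hook API calls
    made during this window; here only the exit state is observed."""
    proc = subprocess.Popen(argv, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    try:
        proc.wait(timeout=timeout)
        return False
    except subprocess.TimeoutExpired:
        proc.kill()
        proc.wait()
        return True


# Behaviour rules (constructed). A match is 'malware-like', so the verdict is
# 'suspicious', never a hard 'is malware', as the posters infer.
RULES = {
    "autorun_persistence": lambda c, d: c == "registry_write" and "\\CurrentVersion\\Run" in d,
    "drops_exe_in_windows_dir": lambda c, d: c == "file_write"
        and d.lower().endswith(".exe") and "\\windows\\" in d.lower(),
    "remote_thread_injection": lambda c, d: c == "create_remote_thread",
    "downloaded_executable": lambda c, d: c == "network_download" and d.lower().endswith(".exe"),
}


def analyse(events, process_active):
    """Apply every rule to every observed event and derive the verdict."""
    report = Report(events=list(events), process_active=process_active)
    for category, detail in report.events:
        for name, rule in RULES.items():
            if rule(category, detail):
                report.hits.append((name, category, detail))
    # 'undetected' = no malware behaviour detected, based on the analysis above
    report.verdict = "suspicious" if report.hits else "undetected"
    return report


def explain(report):
    """Render the verdict plus the caveats the thread asked for."""
    lines = [f"verdict: {report.verdict}"]
    lines += [f"  {name}: {cat} {detail}" for name, cat, detail in report.hits]
    if report.process_active:
        lines.append("  note: process still active at timeout; later behaviour was not observed")
    if report.verdict == "undetected" and any(c == "network_connect_failed" for c, _ in report.events):
        lines.append("  note: an outbound connection failed in the sandbox; a downloader's payload was never fetched")
    return "\n".join(lines)


# Constructed traces, not real CIMA output.
DROPPER_TRACE = [
    ("file_write", "C:\\Windows\\System32\\svchost32.exe"),
    ("registry_write", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"),
]
# Downloader whose fetch fails because the sandbox is offline: nothing
# malware-like is observed, so it is 'undetected' although it is malicious.
DOWNLOADER_OFFLINE_TRACE = [("network_connect_failed", "http://example.invalid/payload.exe")]
CLEAN_TRACE = [("file_read", "C:\\Windows\\System32\\kernel32.dll")]

if __name__ == "__main__":
    # Demonstrate 'active' vs 'exited' using the interpreter itself as the sample.
    still_active = run_sample([sys.executable, "-c", "import time; time.sleep(30)"], timeout=0.5)
    exited = run_sample([sys.executable, "-c", "pass"], timeout=10)
    print(explain(analyse(DROPPER_TRACE, exited)))
    print(explain(analyse(DOWNLOADER_OFFLINE_TRACE, still_active)))
    print(explain(analyse(CLEAN_TRACE, exited)))
```

The design point is that `analyse` can only report what `run_sample`'s window let it see: a long-running sample is killed at the timeout and anything it would have done later is simply absent from the trace, and a downloader with no working network produces nothing for the rules to match. That is why 'undetected' should be read as 'nothing malicious observed', not 'clean'.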

Thanks for the clarification ... however, with Coco (that's what I like to call CIS) I shall not worry ;D

OK thanks can now use CIMA with more confidence.

So maybe say: 'Some malicious activity may have been missed, since CIMA timed out before the submitted file had stopped running.'

Best wishes

Mouse

So, if "undetected" is "not malware", and "suspicious" is "probably malware", then what would CIMA flag a file as if it is malware?

I am asking this because I have never submitted a malicious file to CIMA.

I think, subject to correction, that CIMA cannot flag a file as definitely malware. It looks for malware-like behaviour, and so can only say this is malware-like, not that it is malware.

Best wishes

Mouse

So, it's either 'suspicious' for malicious or probably malicious files, and 'undetected' for safe files, right?

That's as I understand it.

See if the devs - if any are here - say any different!

Mouse

Will the devs answer this question, please?